malwarewikiaorg-20200223-history
Ryuk
Ryuk is a ransomware family derived from Hermes that runs on Microsoft Windows operating systems. It has extorted over $640,000 worth of Bitcoin. It is aimed at English-speaking users. It is named after the Japanese manga character of the same name from the series Death Note.

On October 15th, 2018, Ryuk attacked the Onslow Water and Sewer Authority (OWASA), causing disruptions in their network. On December 27th, 2018, Ryuk ransomware hit Tribune Publishing newsprint organizations and disabled their ability to print papers. The incident was discovered late at night when one editor could not send finished pages to the printing service. The issue was quickly fixed and no further damage was discovered on the network. On March 9th, 2019, Ryuk attacked Jackson County, Georgia and got $400,000. On July 6th, 2019, Ryuk attacked La Porte, a county in Indonesia. This resulted in the county paying over $130,000 to recover data on computer systems impacted by Ryuk. On September 5th, 2019, Ryuk attacked New Bedford, Massachusetts. It asked for $5.3 million to decrypt the data. None of the victims paid it. On September 11th, 2019, a variant of Ryuk stole confidential financial, military, and law enforcement files. On October 1st, 2019, DCH Health System, which includes the DCH Regional Medical Center, Northport Medical Center, and Fayette Medical Center in West Alabama's Tuscaloosa, Northport, and Fayette, was affected by Ryuk, which forced the health system to shut down its computer systems and to stop accepting new non-emergency patients. Over the weekend, DCH issued an updated statement regarding the incident and said that some systems were being restored from backups, but that it would pay the ransom and purchase the Ryuk decryption key in order to restore access to the other encrypted systems. DCH has not stated how much it paid for the decryptor, but has confirmed that it successfully decrypted multiple encrypted servers.
On November 20th, 2019, Ryuk attacked National Veterinary Associates, affecting 400 clinics across the country. On November 27th, 2019, Ryuk attacked the Spanish multinational security company Prosegur. The company restricted communications with its customers to avoid malware propagation. On December 9th, 2019, Ryuk's encryption routine was modified to increase its encryption speed. This introduced a bug in the decryptor that could lead to data loss in large files. On December 13th, 2019, Ryuk attacked New Orleans. During a press conference on Friday, the mayor confirmed that it was a ransomware attack, and that its activity started around 5 a.m. that morning. The city spotted the suspicious activity on its networks around 11 a.m., at which point it shut its systems down. On December 26th, 2019, a new version of Ryuk was released that deliberately avoids encrypting folders commonly seen on *NIX operating systems. On December 27th, 2019, Ryuk attacked the entire corporate IT network of a Maritime Transportation Security Act (MTSA) regulated facility. On January 24th, 2020, the Florida newspaper The Tampa Bay Times suffered a Ryuk ransomware attack on Thursday. It did not result in any breached data: sensitive customer information, such as subscriber addresses and credit card details, was not exposed, the newspaper said.

Payload

Transmission

Ryuk spreads via targeted attacks, with the Ryuk crew going after selected companies one at a time, either via spear-phishing emails or Internet-exposed and poorly secured RDP connections. Ryuk is also capable of lateral movement within a network, which widens the damage.
Ryuk may come with a packed and encrypted dropper that is written to the Public user folder (Documents and Settings\Public User on XP) under a random numeric name generated with GetTickCount and _srand64. Ryuk comes in both 32-bit and 64-bit versions; the dropper determines the machine architecture with IsWow64Process and launches the matching build with ShellExecuteW. If the payload cannot be created in this way, the dropper creates it in the current directory, using the same name-generation algorithm with a V prepended to the file name.

Infection

When Ryuk is run by the dropper, it sleeps for a random interval. It then checks its arguments for a directory, which it deletes to cover the tracks of the intrusion. Ryuk uses taskkill to terminate certain processes, acquires SeDebugPrivilege with AdjustTokenPrivileges, and scans for the processes explorer.exe, lsass.exe and csrss.exe, although it may target any process. Once it finds one, it calls VirtualAllocEx, CreateRemoteThread, VirtualFreeEx and WriteProcessMemory to load shellcode into that process at a hardcoded address, which makes the whole routine unstable. The shellcode then loads a list of APIs and checks its privileges by trying to write a file into the SYSTEM folder with CreateFileW. If that succeeds, the ransomware creates two files in the Public user folder (Public User on XP, Public on Vista and above): PUBLIC, holding the author's RSA-4096 public key, and UNIQUE_ID_DO_NOT_REMOVE, holding the ID generated by the ransomware. The ransomware then instantiates the AES/RSA CryptoAPI provider with CryptAcquireContext, generates an RSA key pair with CryptGenKey, and encrypts the private half of it with the hardcoded RSA public key from the PUBLIC file; the result is the ID stored in the UNIQUE_ID_DO_NOT_REMOVE file.
The ransomware scans every folder and every file on every drive and encrypts every file except those with the .exe, .dll and .hrmlog extensions (.hrmlog is the Hermes ransomware log); it also skips the folders Windows, Mozilla, Chrome, Recycle Bin and Ahnlab, a list likewise taken from Hermes. For every file, the ransomware generates an AES-256 key with CryptGenKey, exports it with CryptExportKey and encrypts it with the public half of the RSA key pair generated earlier, using CryptEncrypt. CreateFile, ReadFile and WriteFile are used to open, read and write the file. Ryuk does not append an extension; instead it appends a header and marker containing the HERMES string and the encrypted AES-256 key to the file. CryptDestroyKey is then used to remove the file key from memory. After encrypting every drive, the ransomware imports WNetOpenEnum and WNetEnumResource from MPR.DLL to enumerate shared folders and LAN computers, spread to them and encrypt every file on them; that is the path used on XP and Vista, while on Windows 7 through Windows 10 it uses GetIpNetTable instead and accesses the shares directly. The ransomware then creates a BAT file, Windows.bat, containing vssadmin commands that resize and wipe the Shadow Copies, and executes it. In every folder, a file RyukReadMe.html is placed. The note informs victims of the encryption and urges them to pay a ransom to restore their data. Ryuk uses the RSA-4096 and AES-256 encryption algorithms, both military-grade. Without the attacker's private key, restoring the data is impossible, and each victim is forced to pay a ransom in exchange for its release.

Text presented in the Ryuk ransomware text file RyukReadMe.txt:
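The host-side behaviour described in the Infection section and above (a numeric file name under the Public profile, the V-prefixed fallback name, taskkill calls, and a Windows.bat that runs vssadmin against the Shadow Copies) can be turned into process-creation detections. The triage script below is an added example, not code from the page or from any Ryuk analysis. The event records are constructed; the field names are modelled on Sysmon Event ID 1 / Security event 4688, and the vssadmin command lines illustrate the resize and delete operations the page mentions rather than Ryuk's exact strings.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (fields modelled on Sysmon ID 1 / Security 4688)."""
    image: str     # full path of the new process
    cmdline: str   # its command line
    parent: str    # full path of the parent process


# Dropper artefacts from the page: a numeric file name under the Public profile,
# or the same numeric name prefixed with "V" when the fallback location is used.
PUBLIC_DIRS = ("\\users\\public\\", "\\documents and settings\\public user\\")
NUMERIC_EXE = re.compile(r"^\d+\.exe$")
FALLBACK_EXE = re.compile(r"^v\d+\.exe$")

TASKKILL = re.compile(r"\btaskkill(\.exe)?\b", re.IGNORECASE)
WINDOWS_BAT = re.compile(r"windows\.bat", re.IGNORECASE)
# Shadow-copy tampering: resizing shadow storage or deleting shadows via vssadmin.
VSSADMIN_SHADOW = re.compile(
    r"vssadmin(\.exe)?\s+(resize\s+shadowstorage|delete\s+shadows)", re.IGNORECASE)


def check_event(ev):
    """Return the list of rule names that fire on one event (empty if benign)."""
    hits = []
    image = ev.image.lower()
    name = image.rsplit("\\", 1)[-1]
    if NUMERIC_EXE.match(name) and any(d in image for d in PUBLIC_DIRS):
        hits.append("numeric_exe_in_public")
    elif FALLBACK_EXE.match(name):
        hits.append("fallback_v_prefixed_exe")
    if TASKKILL.search(ev.cmdline):
        hits.append("taskkill")
    if WINDOWS_BAT.search(ev.cmdline):
        hits.append("windows_bat")
    if VSSADMIN_SHADOW.search(ev.cmdline):
        hits.append("vssadmin_shadow_tamper")
    return hits


def triage(events):
    """Run every event through the rules; return (rule, command line) pairs."""
    return [(rule, ev.cmdline) for ev in events for rule in check_event(ev)]


# Constructed records, not a real capture; paths and targets are illustrative.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\Public\7138542.exe", r"C:\Users\Public\7138542.exe",
              r"C:\Users\Public\dropper.exe"),
    ProcEvent(r"C:\Windows\System32\taskkill.exe", "taskkill /IM sqlservr.exe /F",
              r"C:\Users\Public\7138542.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\Public\Windows.bat"',
              r"C:\Users\Public\7138542.exe"),
    ProcEvent(r"C:\Windows\System32\vssadmin.exe",
              "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\vssadmin.exe", "vssadmin Delete Shadows /all /quiet",
              r"C:\Windows\System32\cmd.exe"),
    # Enumeration only: admins run this routinely, so it is deliberately not flagged.
    ProcEvent(r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe", "firefox.exe",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for rule, cmdline in triage(SAMPLE_EVENTS):
        print(f"{rule:24s} {cmdline}")
```

Each rule on its own is weak (taskkill and vssadmin are legitimate administrative tools); the value is in several of them firing within minutes on the same host, with the numeric executable or the batch file as the parent chain, which is why the script keeps the originating command line with every hit.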
You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks. They can damage all your important data just for fun.

Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256. No one can help you to restore files without our special decoder. Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly.

If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files (Less than 5 Mb each, non-archived and your files should not contain valuable information (Databases, backups, large excel sheets, etc.)). You will receive decrypted samples and our conditions how to get the decoder. Please don't forget to write the name of your company in the subject of your e-mail.

You have to pay for decryption in Bitcoins. The final price depends on how fast you write to us. Every day of delay will cost you additional +0.5 BTC. Nothing personal just business. As soon as we get bitcoins you'll get all your decrypted data back. Moreover you will get instructions how to close the hole in security and how to avoid such problems in the future + we will recommend you special software that makes the most problems to hackers.

Attention! One more time! Do not rename encrypted files. Do not try to decrypt your data using third party software.

P.S. Remember, we are not scammers. We don`t need your files and your information. But after 2 weeks all your files and keys will be deleted automatically. Just send a request immediately after infection. All data will be restored absolutely. Your warranty - decrypted samples.
contact emails: eliasmarco@tutanota.com or CamdenScott@protonmail.com
BTC wallet: 15RLWdVnY5n1n7mTvU1zjg67wt86dhYqNj

Variants

On June 18th, 2019, a new variant of Ryuk was discovered that adds IP address and computer blacklisting so that matching computers are not encrypted. If the computer passes these checks, the variant encrypts it as usual and appends the .RYK extension to encrypted files. As an additional ransom note, it also creates RyukReadMe.html, which contains the phrase "balance of shadow universe" and email addresses that can be contacted for payment instructions. The email addresses currently used in the ransom notes are sorcinacin@protonmail.com and neyhyretim@protonmail.com.
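Responders frequently need to tell which files on a recovered disk or share Ryuk actually touched. The scanner below is an added example, not code from the page, that applies the file-level artefacts described in the Infection section and in the June 2019 variant above: the HERMES marker written together with the wrapped AES key, the RyukReadMe.html / RyukReadMe.txt notes, the .RYK extension, and the extension and folder skip list. The sample tree is constructed, and the assumption that the marker lies within the first or last 4 KiB of a file is mine, not something the page states.

```python
import os
import tempfile

HERMES_MARKER = b"HERMES"            # string Ryuk writes alongside the wrapped AES key
NOTE_NAMES = {"ryukreadme.html", "ryukreadme.txt"}
VARIANT_EXT = ".ryk"                 # appended by the June 2019 variant
SKIPPED_EXT = {".exe", ".dll", ".hrmlog"}
SKIPPED_DIRS = {"windows", "mozilla", "chrome", "recycle bin", "ahnlab"}
WINDOW = 4096                        # assumption: marker sits in the head or tail of the file


def has_hermes_marker(path, window=WINDOW):
    """True if the HERMES marker appears in the first or last `window` bytes."""
    with open(path, "rb") as fh:
        head = fh.read(window)
        fh.seek(0, os.SEEK_END)
        size = fh.tell()
        fh.seek(max(0, size - window))
        tail = fh.read(window)
    return HERMES_MARKER in head or HERMES_MARKER in tail


def classify(root, path):
    """Labels for one file according to the behaviour the page describes."""
    rel = os.path.relpath(path, root).replace(os.sep, "/")
    parts = rel.lower().split("/")
    name = parts[-1]
    ext = os.path.splitext(name)[1]
    labels = set()
    if name in NOTE_NAMES:
        labels.add("note")
        return labels
    # Files Ryuk never encrypts: skipped extensions or a skipped folder on the path.
    if ext in SKIPPED_EXT or any(p in SKIPPED_DIRS for p in parts[:-1]):
        labels.add("excluded")
        return labels
    if ext == VARIANT_EXT:
        labels.add("ryk")
    if has_hermes_marker(path):
        labels.add("encrypted")
    return labels


def scan_tree(root):
    """Walk `root` and group relative paths by label (lists sorted for stable output)."""
    findings = {"note": [], "excluded": [], "ryk": [], "encrypted": []}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            for label in classify(root, full):
                findings[label].append(rel)
    for paths in findings.values():
        paths.sort()
    return findings


# Constructed sample tree, not real victim data.
SAMPLE_FILES = {
    "docs/report.docx": b"PK\x03\x04" + b"\x00" * 300 + HERMES_MARKER + b"\x7f" * 256,
    "docs/budget.xlsx.RYK": b"\xaa" * 200 + HERMES_MARKER + b"\x11" * 256,
    "docs/RyukReadMe.html": b"<html>Your business is at serious risk.</html>",
    "docs/clean.txt": b"nothing to see here\n",
    "bin/tool.exe": b"MZ" + HERMES_MARKER,   # skipped by extension despite the string
    "Windows/system.ini": b"[drivers]\n",    # skipped folder
}


def build_sample_tree(root):
    for rel, data in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo():
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for label, paths in demo().items():
        print(f"{label:9s} {paths}")
```

The skip list is reported rather than silently ignored so that responders know which areas a Ryuk run would have left alone: a clean result under Windows or in .exe files is expected and is not evidence of a different strain. Because the original name is kept (no extension is added), the marker check, not the file name, is what identifies an encrypted file for the older builds.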